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EFPIA Response to EDPB consultation on Guidelines 08/2020 on the targeting of social media users 


The European Federation of Pharmaceutical Industries and Associations (“EFPIA”) welcomes the 
opportunity to submit comments on the European Data Protection Board’s (“Board”) draft guidelines on 
the targeting of social media users (Guidelines 8/2020). EFPIA represents the biopharmaceutical 
industry operating in Europe. 


A. THE BOARD’S DRAFT GUIDELINES WOULD HAVE A BROADER APPLICATION THAN INDICATED BY THE BOARD 


EFPIA has chosen to participate in this consultation because it is concerned that the Board’s approach to 
this issue could adversely impact a wide range of stakeholders in Europe. The Board’s draft guidelines 
focus on social media providers and other actors involved in the delivery of advertising to social media 
users. However, the Board’s analysis of the joint controller designation undoubtedly will have a more 
sweeping application across a range of other stakeholders that operate online. These include other 
activities of private companies and non-for-profit organizations — such as patient support groups — on 
social media (and beyond). The Board’s analysis will result in these many diverse stakeholders all being 
labelled “joint controllers” in contexts where this designation is not applied today. 


For that reason, EFPIA maintains that the Board should engage more meaningfully with representatives 
of other sectors, who will inevitably be affected by these guidelines, to better understand the variety of 
social media uses. EFPIA therefore calls upon the Board to postpone the final adoption of the guidelines 
and reinitiate the consultation process, in order to solicit further input from all relevant stakeholders, 
carefully examine the technical complexity of this issue, and consider the broader needs and interests of 
all relevant stakeholders. 


B. THE DRAFT GUIDELINES ADOPT AN OVERLY EXPANSIVE NOTION OF THE CONCEPT OF “JOINT CONTROLLER” 


The draft Guidelines support a very expansive application of the joint controller concept, including in 
cases where this is not warranted. Especially in use cases such as Example 1 of the draft Guidelines 
(para. 37), the link between the entity contracting with the social media platform and the personal data 
concerned is too weak to allocate controller-responsibility to that entity. 


1. Overly Broad Definition of the Purpose 


The Board appears to follow an all-encompassing and expansive interpretation of the GDPR’s “joint 
controller” doctrine, in large part by assigning to social media service providers and “targeters” the 
same broadly-stated aim, namely: “display[ing] a specific advertisement to a set of individuals (in this 
case social media users) who make up the target audience”. The Board can only come to a joint 
controller qualification of social media providers and “targeters” on the basis of a very expansive 
interpretation of the processing purpose. The Board’s approach contradicts positions taken when they 


have considered other GDPR requirements. For example, the Board emphasized in one recent guidance 
paper the importance of defining processing purposes with specificity, stating: 


“The purpose of the collection must be clearly and specifically identified: it must be detailed 
enough to determine what kind of processing is and is not included within the specified purpose, 
and to allow that compliance with the law can be assessed and data protection safeguards 
applied.” 


2. Overly Expansive Interpretation of Controller 


The guidance starts from the premise that the joint controller designation will be generally applicable in 
this advertising space and proposes that controllers jointly define their respective areas of control on a 
case-by-case basis. EFPIA accepts that the circumstances must be assessed individually on the facts. 
However, while it may be true that in use cases such as Example 1, a company causes the processing to 
take place, attributing controller designation to a company solely because it has requested a service that 
will eventually result in the processing of personal data is an over-extension of the controller concept. 
The mere decision to use a service does not mean that one necessarily exercises decisive influence over 
how the service provider processes personal data. 


Controllers determine the purpose and means of processing. In an Example 1 context, the company 
concerned has control over neither the means nor the data itself. It only controls a very high-level 
purpose that is not clearly linked to any defined processing operation. Even if it wanted to, the 
company cannot make joint determinations of any of the key aspects of the processing, such as legal 
basis, transparency, data subject rights and data breaches. Asa result, it cannot be considered a joint 
controller. 


While the Board tries to base its position on decisions of the Court of Justice, on closer examination, it 
appears that the referenced cases lack relevance with regards to Example 1 in the Guidelines. In the 
cases related to Facebook plug-ins (Fashion-ID - C-40/17) and Facebook Fan pages (Wirtschaftsakademie 
- C-210/16), the relevant companies are actively engaged on the platform, either through the plug-ins 
they decide to place on their website, or through the users they attract to their fan page. Thisisin 
contrast to Example 1, where the company concerned does not actively use the social media service 
contracted with to meet its objective. Without such an inextricable link or decisive influence, a joint 
controller designation is unfounded. Similarly, the Jehovah’s Witnesses decision (Case C-25/17) lacks 
relevance because of the very specific nature of the underlying facts in that case, which can be easily 
differentiated from social media. Pharmaceutical companies and social media platforms are not part of 
the same organization; they are not members of the same religious community directed by a central 
body issuing instructions on how to interact with the wider world. 


In short, the Board’s draft guidelines blur the boundary between service providers and their customers, 
and thus apparently seeks to make companies co-regulators of social media platforms. EFPIA is strongly 
of the opinion that Supervisory Authorities already have sufficient tools to address platforms directly; as 
such, they should not shift this responsibility to client companies that use social media platforms as a 
service. Moreover, an overly expansive use of the concept of joint controller is unlikely to be conducive 
to a better protection of individuals. It increases complexity and legal uncertainty, it blurs the lines of 


responsibility and accountability, and it may result in more confrontation and legal proceedings among 
relevant stakeholders. Instead, EFPIA contends that the final guidance should explicitly define a “non- 
controller” designation for an entity that has no access to personal data, no ability to meet the 
responsibilities of a controller in relation to data subjects, and no control over the means of processing. 


EFPIA appreciates the opportunity to provide the Board with its perspectives on the draft guidelines, and 
reiterates its plea for the Board to suspend the finalization of these guidelines and reinitiate the 
consultation process, in order to gather meaningful input from all relevant stakeholders. 


